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(54) System and method for cross directory authentication in a public key infrastructure 



(57) System and method for cross directory authen- 
tication in a Public Key Infrastructure. A first directory is 
configured to query a second directory when receiving 
queries regarding signature certificates from a second 
enterprise PKl. The first directory Is part of a first enter- 
prise PKl, and the second directory is part of the second 
enterprise PKl. Access to a first enterprise PKl server is 
attempted by a user. The user presents a signature cer- 



tificate from the second enterprise PKl to the server for 
authentication. A query is sent to the first directory from 
the server to determine If the user Is allowed access to 
the server. A query is sent to the second directory from 
the first directory to determine if the user is a member 
of the second enterprise PKl. The server approves ac- 
cess to the server if the user is a member of the second 
enterprise PKl. 
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Description 

BACKGROUND 

1 . Field of the Invention s 

[0001 ] This invention relates to Public Key Infrastruc- 
tures (PKI), and more specifically to cross directory au- 
thentication in a PKI. 

10 

2. Background Information 

[0002] A public key infrastructure (PKI) is a collection 
of servers and software that enables an organization, 
company, or enterprise to distribute and manage thou- is 
sands of unique public/private cryptographic keys in a 
manner that allows users to reliably determine the iden- 
tity of the owner of each public/private key pair. When 
each member of an enterprise has a unique key, paper- 
based business processes may be transitioned to an on- 20 
line, electronic equivalent. Public/private key pairs have 
the property that for any given public key there exists 
one and only one private key, and vice versa. Public key 
cryptography (I.e., the ability to publicly distribute the en- 
cryption key) can be used to digitally sign documents. If 25 
a particular message can be decrypted using one mem- 
ber of the key pair, then the assumption is that the mes- 
sage must have been encrypted using the other mem- 
ber. If only one person knows the key used to perform 
the encryption of a document in the first place, then the 30 
recipients that can decrypt the document can be sure 
that the sender of the document must be that person. 
[0003] However, for a digital signature to be meaning- 
ful, the recipient of an object signed with the digital sig- 
nature must first be able to reliably determine the owner 35 
and integrity of the key used to sign the object. Public 
infrastructures accomplish this using an electronic doc- 
ument called a digital certificate. Certificates may con- 
tain Information Identifying the owner of the key pair, the 
public component of the pair, and the period of time for *o 
which the certificate is valid. The certificate may also 
identify technical information about the key itself, such 
as the algorithm used to generate the key, and the key 
length. Certificates are generated by organizations, 
companies, or enterprises that are responsible for verl- 4s 
fying the identity of individuals (or in some instances or- 
ganizations) to which certificates are issued. The certi- 
fying organization is known as a certificate authority. 
The certificate authority signs each certificate using a 
private key known only to the certificate authority itself, so 
This allows users of the PKI to verify both the Integrity 
of the certificate and the identity of the authority that Is- 
sued it. By issuing a certificate, a certificate authority is 
stating that it has verified that the public key that appears 
in the certificate (and, by extension, the corresponding ss 
private key) belongs to the individual listed in the certif- 
icate. The integrity with which the registration process 
operates is, therefore, of great Importance. The process 



must provide mechanisms for reliably identifying the in- 
dividual and for verifying that the public key listed in the 
certificate belongs to that individual. 
[0004] Fig. 1 shows a block diagram of an example 
PKI system architecture. Current PKIs that provide 
strong authentication of user identity accomplish this via 
the use of a local registration authority officer (LRAO) 
12. LRAO 12 operates at a work station or server plat- 
form 14 that runs a local registration authority software 
application 16. Server platform 14 may be any known 
computing device that may serve as a server, e.g., com- 
puter, workstation, etc. The local registration authority 
application 16 interfaces to other server platforms that 
may contain applications such as a certificate authority 
application 18, a registration authority application 20, 
and/or a key recovery authority application 22. Each ap- 
plication may be on the same server platform, or on sep- 
arate Individual server platforms 14. A user 10, that is 
using or desires access to the PKI system architecture, 
accesses the system via a web browser 22 on a client 
platform 24. A hardware token 26, such as a smart card, 
may also be operably connectable to client platform 24. 
Typically in current systems, user 10 presents a photo 
I.D. to the local registration authority officer 12 In order 
to authenticate the user's Identity. Local registration au- 
thority officer 12 then uses workstation 1 4 and local reg- 
istration authority application 16 to signal a registration 
authority application 20 to register new user 10 In the 
system. Local registration authority application 1 6 may 
be off-the-shelf product software that comes typically 
bundled with a certificate authority application 18, reg- 
istration authority application 20, and key recovery au- 
thority 22 software. 

[0005] A public/private key pair is generated by either 
the local registration authority application 1 6 or the reg- 
istration authority application 20 (depending on prod- 
ucts chosen and depending on how they've been con- 
figured). The public key Is sent to certificate authority 
application 18 to be slgned s thereby, generating a cer- 
tificate for new user 10. A backup copy of the private 
key may also be sent to key recovery authority applica- 
tion 22, however, normally the private key is kept on a 
token 26, or at client platform 24 by user 10. Once the 
public key is sent to a certificate authority 1 8 and signed, 
a user certificate Is generated and provided to a local 
registration authority server. Local registration authority 
officer 12 copies the certificate (including the private 
key) onto afioppy disk, hardware token, or other storage 
medium, and then provides the certificate and private 
key to the user. 

[0006] Different enterprises generally use different 
PKIs. For example, If enterprise-A wishes to grant ac- 
cess to a server that is part of enterprise-A PKI for a 
userfrom a different enterprise, e.g., enterprise-B, serv- 
er A cannot authenticate the identity of the user from 
enterprise-B since the user from enterprise-B is not a 
part of enterprise-A's PKI, and presents a signature cer- 
tificate from enterprise-B's PKI for authentication. 



EP 1 162 780 A2 



3 

[0007] Currently, a process called cross-certification 
is used to enable multiple enterprises to coordinate cer- 
tificates among enterprise specific PKIs. In current sys- 
tems, a Certificate Authority from a first PKI signs the 
public key of a Certificate Authority from a second PKI. 
Similarly, the Certificate Authority from the second PKI 
signs the public key of the Certificate Authority from the 
first PKI. Now, when a user or server in the first enter- 
prise PKI receives a signature certificate from a user 
from the second enterprise PKI, the user's signature 
certificate from the second enterprise PKI will be signed 
by the Certificate Authority from the first enterprise. 
Generally, a user or server from the first enterprise 
would not know if a signature certificate from a second 
enterprise can be trusted, since the signature certificate 
is from a different PKI. However, since the signature 
from the Certificate Authority from the second enterprise 
has Itself been signed by the Certificate Authority from 
the first enterprise, the user and server from the first en- 
terprise know that the Certificate Authority signature in 
the signature certificate from the second enterprise can 
be trusted. 

[0008] However, current systems such as this are 
problematic in that they do not scale up well. For exam- 
ple, if there are N PKIs, then there are N 2 cross-certlfl- 
catlon slgnlngs that must be accomplished. Therefore, 
a need exists to allow a first enterprise to authenticate 
the identity of a user from a second enterprise within the 
first enterprise network. 

SUMMARY 

[0009] The present invention is directed to a method 
for cross directory authentication in a Public Key Infra- 
structure (PKI) that includes: configuring a first directory 
to query a second directory when receiving queries re- 
garding signature certificates from a second enterprise 
PKI, where the first directory is part of a first enterprise 
PKI, and the second directory is part of the second en- 
terprise PKI; attempting access to a server by a user, 
where the server is part of the first enterprise PKI, and 
the user presents a signature certificate from the second 
enterprise PKI to the server for authentication; sending 
a query to the first directory from the server to determine 
If the user Is allowed access to the server; sending a 
query to the second directory from the first directory to 
determine if the user is a member of the second enter- 
prise PKI; and signaling the server by the first directory 
that the user is allowed access to the server if the user 
is a member of the second enterprise PKI. 
[001 0] The present invention is also directed to a sys- 
tem for cross directory authentication in a Public Key 
Infrastructure (PKI). One or more servers are part of a 
first enterprise PKI. One or more client platforms are us- 
able by one or more users to request access to the serv- 
ers. A second directory contains information on users 
with a signature certificate for a second enterprise PKI. 
The second directory is part of the second enterprise 



PKI. A first directory sends a query to the second direc- 
tory when receiving a query from a server regarding a 
signature certificate for the second enterprise PKI re- 
ceived at the server from a one user for authentication. 
s The query from the server Is sent to the first directory to 
determine if the user is allowed access to the server. 
The first directory is part of the first enterprise PKI. The 
query sent to the second directory from the first directory 
is sentto determine if the user is a member of the second 
10 enterprise PKI. The first directory signals the server that 
the user Is allowed access to the server if the user is a 
member of the second enterprise PKI. The first directory 
and/or the server may configured with information re- 
garding users with signature certificates from the sec- 
ts ond enterprise PKI that are allowed access to the server. 
[001 1 ] The present invention is further directed to an 
article comprising a storage medium having instructions 
stored therein, where the Instructions when executed 
cause a processing device to perform: receiving conflg- 
20 u rati on information that causes the processing device 
to send a query to a directory when receiving queries 
regarding signature certificates for a second enterprise 
PKI, where the processing device is part of a first enter- 
prise PKI. and the directory is part of the second enter- 
25 prise PKI; receiving a query from a server requesting If 
a user Is allowed access to the server, where the server 
is part of the first enterprise PKI; sending a query to the 
directory to determine if the user is a member of the sec- 
ond enterprise PKI; and signaling the server that the us- 
30 er is allowed access to the server if the user is a member 
of the second enterprise PKI. 

BRIEF DESCRIPTION OF THE DRAWINGS 

35 [0012] The present invention is further described in 
the detailed description which follows in reference to the 
noted plurality of drawings byway of non-limiting exam- 
ples of embodiments of the present Invention in which 
like reference numerals represent similar parts through- 
40 out the several views of the drawings and wherein: 

Fig. 1 is a block diagram of an example PKI system 
architecture; 

Fig. 2 is a block diagram of an exemplary system 
45 architecture In which PKI processes may be prac- 
ticed according to an example embodiment of the 
present invention; and 

Fig. 3 is a flowchart of an example process for cross 
directory authentication in a public key infrastruc- 
so ture according to an example embodiment of the 
present invention. 

DETAILED DESCRIPTION 

55 [001 3] The particulars shown herein are by way of ex- 
ample and for purposes of illustrative discussion of the 
embodiments of the present invention. The description 
taken with the drawings make it apparent to those skilled 
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in the art how the present invention may be embodied 
in practice. 

[0014] Further, arrangements may be shown in block 
diagram form In order to avoid obscuring the Invention, 
and also In view of the fact that specifics with respect to 
implementation of such block diagram arrangements is 
highly dependent upon the platform within which the 
present invention is to be implemented, i.e., specifics 
should be well within purview of one skilled in the art. 
Where specific details (e.g., circuits, flowcharts) are set 
forth in order to describe example embodiments of the 
invention, It should be apparent to one skilled In the art 
that the invention can be practiced without these specific 
details. Finally, it should be apparent that any combina- 
tion of hard- wired circuitry and software instructions can 
be used to implement embodiments of the present in- 
vention, i.e., the present invention is not limited to any 
specific combination of hardware circuitry and software 
instructions. 

[001 5] Although example embodiments of the present 
invention may be described using an example system 
block diagram in an example host unit environment, 
practice of the invention is not limited thereto, i.e., the 
invention may be able to be practiced with other types 
of systems, and in other types of environments (e.g., 
servers). 

[0016] Reference in the specification to "one embod- 
iment" or "an embodiment" means that a particular fea- 
ture, structure, or characteristic described in connection 
with the embodiment is included in at least one embod- 
iment of the Invention. The appearances of the phrase 
"In one embodiment" In various places In the specifica- 
tion are not necessarily all referring to the same embod- 
iment. 

[0017] Fig. 2 shows a block diagram of an exemplary 
system architecture 100 in which Public Key Infrastruc- 
ture (PKI) processes may be practiced according to an 
example embodiment of the present Invention. The 
present invention Is not limited to the system architec- 
ture 1 00 shown in Fig. 2. The boxes shown in Fig. 2 rep- 
resent entities that may be hardware, software, or a 
combination of the two. The entities are operabiy con- 
nected together on a network. Entities not shown as be- 
ing connected to the network represent one or more hu- 
man beings that perform the function denoted inside the 
box. 

[0018] System architecture 100 includes Data Entry 
102 which performs a data entry function for Authorita- 
tive Database 104. Authoritative Database 104 is resi- 
dent on server platform 106. A server platform 106 is 
referred to In this description but it should be understood 
that the present Invention Is not limited to any particular 
server architecture. Server platform 1 06 may be, for ex- 
ample, UNIX or Windows NT servers. 
[0019] Authoritative database 104 contains informa- 
tion about members of the group or enterprise (e.g., 
company) for which PKI services in accordance with the 
present invention may be performed. The present inven- 



tion is not limited by the structure of the group or enter- 
prise for which information is stored in the authoritative 
database 104. The information contained in Authorita- 
tive database 1 04 may Include, for example, the name, 

5 address, telephone numbers, manager's name, em- 
ployee identification, etc., of the members of the group 
or enterprise. Directory 1 08 contains the same informa- 
tion contained in database 1 04, but is optimized for fast 
look-up of the information stored therein rather than fast 

10 data entry. The information contained in Directory 108 
may be accessed faster than accessing the information 
from database 1 04. Directory 1 08 functions similar to an 
on-line quickly accessible phone book, containing refer- 
ence information about the members of the group or en- 

is terprise stored in authoritative database 104. 

[0020] Certificate Authority 1 1 0 may be conventional 
off-the shelf software executed on server platform 106. 
Certificate Authority 1 1 0 provides storage of certificates 
and related information. This will be described in more 

20 detail hereinafter. Registration authority 112 may also 
be off-the shelf software executable on server platform 
106. Registration authority 112 will also be described in 
more detail hereinafter. Key recovery authority 114 may 
also be off-the shelf server software executable on Serv- 

25 er Platform 1 06, and may provide the function of recov- 
ering keys (e.g., archived or lost keys) for members of 
the group or enterprise. 

[0021 ] A Windows 2000 Domain Certificate Authority 
(CA) 116 is shown with a dotted line connection to the 

30 network and may or may not be part of a system accord- 
ing to the present invention. Windows 2000 is able to 
use PKI certificates for network single sign-on, but Win- 
dows 2000 is designed to use only the Windows Certif- 
icate Authority Windows. Therefore, a system according 

35 to the present invention may include a conventional Cer- 
tificate Authority 1 1 0 as well as a 2000 Domain CA 1 1 6. 
[0022] Legacy server 118 executes legacy application 
programs 120. Legacy server 118 may be, without lim- 
itation, a main frame, mini-computer, workstation or oth- 

*o er server capable of hosting legacy software applica- 
tions. Legacy software applications generally may not 
be designed to be inherently interoperable with a PKI. 
Legacy applications 1 20 may be accessible on the client 
side by a custom client 1 28 such as an emulator or cus- 

45 torn database Graphic User Interface (GUI). Examples 
of emulators are terminal emulators of an IBM 3270 or 
terminal emulators of a vt100. 

[0023] Registration web page 1 22, which may be one 
or more pages, functions as the user interface to system 

50 architecture 100 shown in Fig. 1. Web Server 124 is a 
software application that serves Web Pages (such as 
web page 1 22) or other HTML outputs to a web browser 
client (such as web browser 126). Web Server 124 may 
be any software application that serves Web Pages or 

55 HTML outputs such as, for example, Apache, Microsoft 
Internet Information Server application, etc. 
[0024] Web browser 1 26 is resident on client platform 
1 28 which may be any user computer or computing de- 
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vice. Web browser 126 may be a client software appli- 
cation for browsing web pages such as, for example, 
HTML protocols, XML protocols, or other protocols. 
Web browser 126 may be programmed to operate with 
PKI certificates Issued by certificate authority 110. Ex- 5 
am pies of web browsers which have this capability in- 
clude Netscape Navigator and Microsoft Internet Ex- 
plorer. The token 130 may be a smart card, a device 
with a Universal Serial Bus (USB), or other hardware 
token device capable of generating, storing, and/or us- 10 
ing PKI certificates. 

[0025] A user 1 32 is a person that uses or desires ac- 
cess to system architecture 100. User 132 may transi- 
tion through a number of states which include, for ex- 
ample, a new user, a current user, and a former user. A *s 
former user is no longer a member of the group or en- 
terprise. System architecture 1 00 is described with ref- 
erence to two levels of security with each level corre- 
sponding to a different security requirement. The 
number of the levels of security is not a limitation of the 20 
present invention. The level 1 search engine 134 may 
be a search engine that is permitted to search system 
architecture 100, but is allowed access to only level 1 
data which is the lowest level of security. Level 1 data 
may be, for example, data which is freely distributable 25 
whereas level 2 data may be considered to be proprie- 
tary. A Level 2 search engine 136 may be a search en- 
gine which is allowed to search both level 1 and level 2 
data. A Level N search engine (not illustrated) may be 
a search engine which is allowed to search through 30 
servers possessing Levels 1 through N data. 
[0026] A secured level server with Level 1 data may 
be a web server containing only level 1 data that is se- 
cured so that users may need to have level 1 access (at 
least) to access the level 1 servers. A secured web serv- 35 
er with level 2 data 140 may be a web server that con- 
tains level 2 data that has been secured so that users 
must have at least level 2 access to access the level 2 
servers. A user with level 2 access may have access to 
both level 1 and level 2 servers. A secured web server <*o 
with level N data (not illustrated) is a web server that 
contains level N data which is accessible by users with 
level N or above. Users with level N or above access 
may have access to all levels of data up through level 
N data. 45 
[0027] VPN Extranet 142 may be a software applica- 
tion which functions as a network gateway, which as il- 
lustrated, may be either to legacy server 118 and legacy 
application 120 or to an external network such as the 
Internet. Personal revocation authority 144 may be one so 
or more people that are in charge of revocation of mem- 
bers from system network 1 00. Personal registration au- 
thority 1 46 may be one or more people that are in charge 
of registration of members in system network 100. Per- 
sona! recovery approval 148 may be one or mo re people ss 
that are in charge of obtaining recovery of certificates. 
A Recovery Agent 150 may be one or more people that 
perform recovery of certificates and may only recover a 
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certificate if the certificate has first been designated as 
recoverable by another person. Personal role approval 
1 52 may be one or more people that approve different 
role functions within the system network 100. A web 
server administrator may be one or more people that 
are in charge of various web functions in system network 
100. 

[0028] The present invention relates to systems and • 
methods for cross -directory authentication where a di- 
rectory in a first enterprise PKI receives a queries relat- 
ed to users with signature certificates from a second en- 
terprise PKI. The directory In the first enterprise is con- 
figured to query a directory in the second enterprise PKI 
to validate the user from the second enterprise. The di- 
rectory in the first enterprise PKI (enterprise A) may 
have been provided a directory entry for users from the 
second enterprise PKI (enterprise B) that may access 
one or more servers of the first enterprise PKI. A server 
that is part of the first enterprise PKI may contain data 
that is somewhat proprietary to the first enterprise, but 
may have a non-disclosure agreement with enterprise 
B for some particular project which has data hosted on 
a server (server A) from enterprise A. Therefore, users 
from enterprise B may need access to the data on server 
A which is part of enterprise A. 
[0029] Since different enterprises generally use differ- 
ent PKIs, if enterprise A wishes to grant access to one 
or more of its servers to a user from enterprise B, once 
the user from enterprise B requests access to a server 
from enterprise A, the server from enterprise A sends a 
query to a directory of enterprise A (directory A) to au- 
thenticate the Identity of the user from enterprise B. 
Since the directory at enterprise A may include a direc- 
tory entry for users from enterprise B that may need ac- 
cess to a server in enterprise A, directory A is pro- 
grammed to query a directory from enterprise B (direc- 
tory B) for all queries received by directory A related to 
users in enterprise B. Directory B determines If the user 
is still a member of enterprise B and If so, replies to the 
query from directory A that user B is allowed access to 
the server of enterprise A. Directory A may also be con- 
figured with all users allowed access to servers in en- 
terprise A and, therefore, even though the user from en- 
terprise B is a member of enterprise B, this user may 
not be listed in directory A as having access to a partic- 
ular server of enterprise A, and thus may be denied ac- 
cess to the particular server. 

[0030] Fig. 3 shows a flowchart of an example proc- 
ess for cross-directory authentication according to an 
example embodiment of the present invention. A direc- 
tory in enterprise A may be configured to query a direc- 
tory in enterprise B when receiving enterprise B PKI sig- 
nature certificate queries S1 . An enterprise A web serv- 
er may be configured with enterprise B users (with en- 
terprise B PKI signature certificates) that are allowed ac- 
cess to the enterprise A web server S2. A user from en- 
terprise B attempts access to the enterprise A web serv- 
er and presents a PKI certificate from enterprise B, S3. 
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The enterprise A web server queries the enterprise A 
directory to determine if the user from enterprise B is 
allowed access to the server S4. Enterprise A directory 
notes that the user has a signature certificate from an 
enterprise B PKI and thus queries a directory in enter- 
prise B to authenticate the user from enterprise B S5. 
The enterprise B directory determines if the user is a 
member of enterprise B and confirms or denies that the 
user is a member of enterprise B, S6. The enterprise B 
directory signals the enterprise A directory accordingly. 
If the user is confirmed, the enterprise A directory sig- 
nals the enterprise A web server that the user from en- 
terprise B is allowed access to the server S7. The en- 
terprise A web server then allows the user from enter- 
prise B access if the web server from enterprise A is also 
configured to allow the user from enterprise B access to 
this web server SB. 

[0031] Systems and methods for cross directory au- 
thentication according to the present Invention are ad- 
vantageous since they are less complicated than cur- 
rent processes for cross-PKI certification. The current 
invention is also advantageous in that even in the case 
of a totally comprised PKI for enterprise B, the present 
invention only allows access to data on a mutually 
shared server. Data that resides on a server maintained 
by only one of the two enterprises remains secure. 
[0032] It is noted that the foregoing examples have 
been provided merely for the purpose of explanation 
and are in no way to be construed as limiting of the 
present invention. While the present invention has been 
described with reference to a preferred embodiment, it 
is understood that the words which have been used 
herein are words of description and illustration, rather 
than words of limitation. Changes may be made within 
the purview of the appended claims, as presently stated 
and as amended, without departing from the scope and 
spirit of the present invention in its aspects. Although 
the present invention has been described herein with 
reference to particular methods, materials, and embod- 
iments, the present invention is not intended to be lim- 
ited to the particulars disclosed herein, rather, the 
present invention extends to all functionally equivalent 
structures, methods and uses, such as are within the 
scope of the appended claims. 



Claims 

1. A method for cross directory authentication in a 
Public Key Infrastructure (PKI) comprising: 

configuring a first directory to query a second 
directory when receiving queries regarding sig- 
nature certificates from a second enterprise 
PKI, the first directory being part of a first en- 
terprise PKI, the second directory being part of 
the second enterprise PKI; 
attempting access to a server by a user, the 
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server being part of the first enterprise PKI , the 
user presenting a signature certificate from the 
second enterprise PKI to the server for authen- 
tication; 

sending a query to the first directory from the 
server to determine if the user is allowed ac- 
cess to the server; 

sending a query to the second directory from 
the first directory to determine if the user is a 
member of the second enterprise PKI; and 
signaling the server by the first directory that 
the user is allowed access to the server If the 
user is a member of the second enterprise PKI. 

The method according to claim 1 , further compris- 
ing configuring the first directory by a network ad- 
ministrator. 

The method according to claim 1 , further compris- 
ing configuring the server with information regard- 
ing users with signature certificates from the second 
enterprise PKI that are allowed access to the server. 

The method according to claim 1 , further compris- 
ing configuring the first directory with information re- 
garding users with signature certificates from the 
second enterprise PKI that are allowed access to 
the server. 

The method according to claim 4, further compris- 
ing configuring the server by a network administra- 
tor. 

A system for cross directory authentication in a Pub- 
lic Key Infrastructure (PKI) comprising: 

at least one server, the at least one serverbeing 
part of a first enterprise PKI; 
at least one client platform, the at least one cli- 
ent platform usable by at least one user to re- 
quest access to the at least one server; 
a second directory, the second directory con- 
taining information on at least one user with a 
signature certificate for a second enterprise 
PKI, the second directory being part of the sec- 
ond enterprise PKI; and 
a first directory, the first directory sending a 
query to the second directory when receiving a 
query from at least one server regarding a sig- 
nature certificate for the second enterprise PKI 
received at the at least one server from at least 
one user for authentication, the query from the 
at least one server sent to the first directory to 
determine if the at least one user is allowed ac- 
cess to the at least one server, the first directory 
being part of the first enterprise PKI, the query 
sent to the second directory from the first direc- 
tory being sent to determine if the at least one 
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user is a member of the second enterprise PKI , 
the first directory signaling the at least one serv- 
er that the at least one user is allowed access 
to the at least one server if the user is a member 
of the second enterprise PKI. s 

7. The system according to claim 6, wherein the first 
directory comprises a database. 

8. The system according to claim 6, wherein the sec- to 
ond directory comprises a database. 

9. The system according to claim 6, wherein the at 
least one server, the at least one client platform, and 

the first directory are operably connected via a net- is 
work. 

10. An article comprising a storage medium having in- 
structions stored therein, the instructions when ex- 
ecuted causing a processing device to perform: 20 

receiving configuration information that causes 
the processing device to send a query to a di- 
rectory when receiving queries regarding sig- 
nature certificates for a second enterprise PKI , 25 
the processing device being part of a first en- 
terprise PKI, the directory being part of the sec- 
ond enterprise PKI; 

receiving a query from a server requesting if a 
user is allowed access to the server, the server 30 
being part of the first enterprise PKI; 
sending a query to the directory to determine if 
the user is a member of the second enterprise 
PKI; and 

signaling the server that the user is allowed ac- 35 
cess to the server if the user is a member of the 
second enterprise PKI. 
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